diff --git a/gym-manage-api/manage-sys/src/main/java/cn/novalon/gym/manage/sys/config/SecurityConfig.java b/gym-manage-api/manage-sys/src/main/java/cn/novalon/gym/manage/sys/config/SecurityConfig.java
index b80fd51..1d34159 100644
--- a/gym-manage-api/manage-sys/src/main/java/cn/novalon/gym/manage/sys/config/SecurityConfig.java
+++ b/gym-manage-api/manage-sys/src/main/java/cn/novalon/gym/manage/sys/config/SecurityConfig.java
@@ -47,10 +47,10 @@ public class SecurityConfig {
                 .addFilterBefore(jwtAuthenticationFilter, SecurityWebFiltersOrder.AUTHENTICATION)
                 .addFilterAfter(operationLogWebFilter, SecurityWebFiltersOrder.AUTHORIZATION)
                 .authorizeExchange(spec -> {
-                    spec.pathMatchers("/api/auth/**").permitAll()
+                    spec.pathMatchers("/api/admin/auth/**").permitAll()
+                            .pathMatchers("/api/member/auth/**").permitAll()
                             .pathMatchers("/api/public/**").permitAll()
                             .pathMatchers("/ws/**").permitAll()
-                            .pathMatchers("/**").permitAll()
                             .pathMatchers("/actuator/**").permitAll();
 
                     if (isDevOrTest) {
@@ -60,7 +60,7 @@ public class SecurityConfig {
                                 .pathMatchers("/v3/api-docs/**").permitAll()
                                 .pathMatchers("/swagger-resources/**").permitAll()
                                 .pathMatchers("/webjars/**").permitAll()
-                                .pathMatchers("/api/diagnostic/**").permitAll();
+                                .pathMatchers("/api/admin/diagnostic/**").permitAll();
                         logger.info("SecurityConfig: Swagger路径和诊断端点已放行");
                     }